Description

The present invention relates to computer system security and, more particularly, to a tamper resistant access
authorising method for controlling the access of programs, processes, or users to resources defined by a computer
system.

Reference should be made to Peterson and Silberschatz, "Operating System Concepts", copyright 1983 by
Addison-Wesley Publishing Co., Chapter 11, relating to protection at pp. 387-419; and Dorothy Denning, "Cryptography
and Data Security", copyright 1982 by Addison-Wesley Publishing Co., Chapter 4, relating to access controls at pp.
209-230.

These references describe mechanisms for controlling the access of programs, processes, or users to resources 
defined by a computer system. Both Peterson and Denning apparently favour an access matrix, either statically or 
dynamically implemented, to be the protection construct of choice in such systems. 

The matrix construct uses rows to represent domains and columns to represent objects. Each entry in the matrix
consists of a set of access rights. If a computer held a global table consisting of a set of ordered triples <user(i),
object(j), rights set(k)>, then whenever an operation M was executed on an object O(j) by user U(i), a search would be
made for the triple <U(i), O(j), R(k)> and the operation would be allowed to continue only upon a comparison match.

Both references further describe several constructs derived from an access matrix. These include access lists,
capability lists, and lock and key mechanisms. It should be appreciated that an access list is list oriented, a capability
list is ticket oriented, and a lock and key mechanism combines features of both.

An access list is no more than a set of ordered pairs <U(i), R(k)> sorted on each object O(j). A capability list is a
transferable set of ordered pairs <O(j), R(k)>. The capability is a ticket authorising any bearer (user in possession) R
access rights to object O. Simple possession means that access is allowed.

With a lock and key mechanism, each object O(j) includes a unique bit pattern denominated a "lock", while only
designated ones of the users are in possession of a unique bit pattern denominated a "key". Thus, a U(i) can obtain a
key to O(j) only if he has access rights R(k) of a predetermined type.

Dunham et al., U.S. Patent 4,791,565, "Apparatus for Controlling the Use of Computer Software", issued December
13, 1988, illustrates the "access control list" construct. In this case, the "access rights" are used to police license
restrictions. Dunham uses an EPROM-based microprocessor as a dedicated server. In this arrangement, software
usage requests, emanating from terminals and destined for a host computer, are mediated before transmission. Each
request is either passed on with or without comment, or rejected, all according to criteria recited in the user software
license.

Pailen et al., U.S. Patent 4,652,990, "Protected Software Access Control Apparatus and Method", issued March
24, 1987, illustrates a "lock and key" approach to limiting unpermitted copying. In Pailen, an interactive encrypted
message generation process among a requesting remote terminal and a pair of mediating processors is used to check
that user, object, and rights match prior to granting access.

Wolfe, U.S. Patent 4,796,220, "Method of Controlling the Copying of Software", issued January 3, 1989, discloses
another lock and key approach in which configuration information of authorised terminals is used as part of a permission
code computation sent by a host to the requesting terminal. The computation is appended to each request and operates
together with the configuration data as a key for recomputation of the code on subsequent access requests made by
the terminal to the host.

The IEEE paper by S. Vinter entitled "Extended Discretionary Access Controls" (pages 39-49 of Proceedings of
the 1988 IEEE Symposium on Security and Privacy, Oakland, California, April 18-21, 1988, IEEE, New York, USA)
discloses resource access authorisation control using access control lists. A client may access an object if its identity
appears in an access control list entry that is associated with a privilege for the type of access requested.

From one aspect, the present invention provides a method of controlling access to computer resources resident
in a host computer of a computer system comprising the host and a plurality M of workstations connected for
communication with the host, the method comprising the steps of:

(a) responsive to a resource access request from a workstation or user, invoking a precomputed list, the list
including M workstation or user identities and an encrypted representation of the number N of workstations or users
authorised for resource access, N being a number less than M, the encrypted representation of N being formed
using an encryption key as a function of the host identity and an offset;

(b) ascertaining the depth N to which the list may be searched by decrypting the encrypted representation of
parameter N using the encryption key; and

(c) comparing the identity of the workstation or user originating the service request with the identities of the M
workstations or users on the list but only to a depth N, and authorising the access if an identity match is found but
otherwise refusing the access request.

Such a method is considered tamper resistant. 

In a preferred embodiment, the present invention provides a tamper-resistant method for authorising access to
data or application software between a host and a predetermined number N of M attached workstations or users, N
being less than M, the host including a communications server for managing physical data transmission between the
host and M workstations or users; and means for storing access control software and related information; comprising
the steps at the host of:

(a) responsive to a service request from a workstation or user, invoking access control software from the storage
means and a precomputed list, the list including M station or user identities and an encrypted representation of N
indicative of the number of workstations or users authorised access or attachment to the host, the encrypted
representation of N being formed using an encryption key as a function of the host identity and an offset;

(b) ascertaining the depth N to which the list may be searched by decrypting the representation using the key; and

(c) comparing the identity of the workstation or user originating the service request with the identities of the M
stations or users on the list but only to a depth N, and returning an authorisation only upon a match condition.

Such an arrangement is thought to be a tamper-resistant method for controlling the number of users given
authorised access to licensed software in a host-based, multiple terminal system. The software expression of such can be
embedded among the modules forming a licensed software product.

The above method is based on the unexpected use of an encrypted form of an authorisation list depth parameter.
As disclosed hereinafter, access to data is authorised between a host and a predetermined number N < M attached
workstations or users. The host includes a communications server for managing physical data transmission between
the host and the M workstations or users, and means for storing access control software and related information.

The first operation takes place at the host and includes invoking access control software from the storage means
and invoking a precomputed list. These invocations are both in response to a service request from a workstation or
user. The list includes M station or user identities and an encrypted representation of the parameter N. N < M represents
the number of workstations or users authorised access or attachment to the host.

The encryption key is a function of the host identity and an offset. In this regard, an "offset" is a constant that is
arithmetically combined with the host identity to obscure the key. For instance, the host identity could be the host serial
number hard coded in host memory, or it could be an integer value additively combined thereto.

The second operation involves ascertaining the value of depth parameter N by decrypting the representation using
the key. The value N defines the depth to which the list is permitted to be searched.

The third operation requires that the service requester identity be compared with the items of the list to that depth
N and an authorisation is returned only if a match condition is found within that depth. Significantly, any change in the
search-depth N requires re-encryption thereof.

Advantageously, any host-resident licensed software product, a portion of which being downloadable to accessing
terminals, embodying the method of this invention requires only a single installation step, in addition to regulating the
number of authorised users. It even permits dynamic authorisation of users to a single machine since the encryption
key is a function of the host identity. Note that the use of the host identity limits the use of the code to a predetermined
system.

The present invention will be described further by way of example with reference to an embodiment thereof as
illustrated in the accompanying drawings, in which:

Fig. 1 depicts a host CPU-to-workstation download system; and

Figs. 2-5 set out access control list examples 1-4. 

Referring now to Fig. 1, there is shown a CPU 1 and a plurality of terminals 17, 19, 21, 23 coupled thereto over
paths 9, 11, 13, 15. In the subsequent description, it shall be assumed that the CPU node runs under an operating
system that uses a communications server similar to the system described in either "VM/System Product Programmer's
Guide to the Server-Requester Programming Interface for VM/System Product" (pp. 6-7), IBM publication
SC24-5291-1, December 1986; or "TSO Extensions Programmer's Guide to the Server-Requester Programming
Interface for MVS/XA" (pp. 1-3), IBM publication SC28-1309-1, September 1987.

Other computing facility resources are governed by the IBM/370 Principles of Operation as described in Amdahl
et al., U.S. Patent 3,400,371, "Data Processing System", issued September 3, 1968.
Referring again to Fig. 1, in addition to a usual complement of operating system services, CPU 1 preferably includes
at least one application executable in a communicating relation with at least one terminal over a download interface
to an accessing workstation over a designated path. It should be appreciated that licensed software products are
expressed in object code only (OCO) form. They are packaged according to a structured program syntax frequently
including a plurality of single entrance/single exit modules (see J. E. Nicholls, "The Structure and Design of
Programming Languages", The Systems Programming Series, copyright 1975 by Addison-Wesley Publishing Co., Chapter 12,
relating to modular programming, especially at page 486). Accordingly, in the preferred embodiment, an access control
program (ACP) and an access control list (ACL) are embedded among the product modules. Both the OCO product
form and dispersal of the ACP and ACL among several modules should render them relatively immune from isolation
and casual inspection.

Access Control List 

The ACL preferably comprises a file containing a header record followed by one record per authorised user. The
header record will characterise the number of authorised users in the list. For instance, if the header record includes
an encrypted integer value of three, then only the first three users in the ACL will be authorised to invoke the download
transfer operation.

To authorise a user, access must be made to the data set (module) containing the ACL residing in the host CPU
1. At this point, a new authorised ID may be entered consonant with the depth prescribed by the header record. Note
that the data set may be protected additionally as described in IBM's Resource Access Control Facility (RACF) set forth in
"OS/VS2 MVS RACF Command Language Reference", IBM publication SC28-0733.

Referring now to Figs. 2-5, there are shown access control list examples 1-4 according to the invention. Fig. 2 lists
four names with a parameter depth of N=3. Thus, only the terminal or user identities GEORGE, JOHN, and MARY are
authorised, while ROSEAU is not. In Fig. 3, the permitted depth exceeds the length of the list so that another identity
could be added. Fig. 4 shows a depth of 1, while Fig. 5 shows a list with a different CPUID. In the latter regard, the
depth parameter would not be decrypted since the key is a function of a predetermined CPUID + offset.

As a practical matter, whether the host CPU is on a local area network or attached to terminals, authorisation and access
mechanisms rely principally upon a password match. In the event of mismatch or a repeated pattern of mismatch, entry
is merely denied. In other systems, such as the previously mentioned RACF, other criteria such as location or a value
of a system clock may be used to control access.

Access Control Program (ACP) 

Herein, there is shown one exemplary pseudocode sequence with strong PASCAL overtones, the execution of
which embodies the method of the invention. Significantly, the ACP may be called by
ACP(userid: char; encrypt: boolean): boolean
the declaration of the ACP program, either once per logged-on session or more than once (e.g., every time a data
transfer is intended to be performed), the inputs being defined as

userid - a string of characters defining which userid is to be scanned in the Access Control List (ACL)
encrypt - Boolean variable (TRUE if the ACL header is encrypted, FALSE if the ACL header is decrypted)
ACL - Access Control List

The sequence specifies the following functions including: 

(a) Opening the file containing the ACL. 

Begin
  Reset(ACL);   { open the ACL file for reading }

(b) Reading the header record and decoding the depth level N. 

Read(ACL, header);
If (encrypt) then begin
  { key is derived from this host's CPUID plus the offset }
  max_depth := decrypt(header, get_cpu_id)
End

This is implemented by decrypting the header with a key formed from the CPUID + offset according to any well-
known encryption/decryption algorithm. Such algorithms are to be found in Ehrsam et al., U.S. Patent 4,227,253,
"Cryptographic Communication Security for Multiple Domain Networks", issued October 7, 1980; Matyas et al., U.S. Patent
4,218,738, "Method for Authenticating the Identity of a User of an Information System", issued August 19, 1980; and
Meyer and Matyas, "Cryptography - New Dimension in Computer Data Security", copyright 1982 by John Wiley & Sons.

Else begin
  max_depth := header   { depth is carried in clear }
End;

The depth number is clear in the header.

(c) Scanning the ACL to find a match between the requester ID and the list within the decrypted depth range N. 

i := 0;
not_found := TRUE;
{ scan at most max_depth records, stopping early on a match }
While (i < max_depth) and (not_found) do begin
  Readln(ACL, ACL_userid);
  If (ACL_userid = userid) then begin
    not_found := FALSE;
  End;
  i := i + 1;
End;
Return(not_found);
End;

(d) If the match is successful - the returned (not_found) = FALSE -, invoke the authorised application on the host.
Otherwise - the returned (not_found) = TRUE -, return a message to the requesting workstation indicating
UNAUTHORISED.

It should be noted from the sequence recited that the two critical structures are the IF..THEN..ELSE conditional
statement for ascertaining the depth parameter, followed by the WHILE..DO loop for scanning the ACL for a match
condition.
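The ACP sequence above, together with the ACL examples of Figs. 2-5, as an added Python example that is not code from the patent: the header's depth N is sealed under a key derived from CPUID + offset, the scan stops at depth N even when the list is longer, and a header sealed for a different CPUID is refused rather than decrypted to garbage. The cipher (a SHA-256 keystream XOR with an HMAC tag), the offset value and the CPUID values are assumptions standing in for the "well-known" algorithm the text leaves unspecified.

```python
# Added example, not the patent's own code. The cipher below is a stand-in
# for "any well-known encryption/decryption algorithm": a one-byte keystream
# XOR plus an HMAC tag, so a header sealed under another CPUID fails cleanly.
import hashlib
import hmac

OFFSET = 0x1234  # constructed offset, arithmetically combined with the CPUID


def derive_key(cpu_id: int, offset: int = OFFSET) -> bytes:
    # Key is a function of host identity and offset (here: SHA-256 of their sum)
    return hashlib.sha256(str(cpu_id + offset).encode()).digest()


def encrypt_depth(depth: int, cpu_id: int) -> bytes:
    # Header record = 8-byte tag || 1-byte ciphertext of the depth N
    key = derive_key(cpu_id)
    stream = hashlib.sha256(key + b"depth").digest()
    ct = bytes([depth ^ stream[0]])
    tag = hmac.new(key, ct, hashlib.sha256).digest()[:8]
    return tag + ct


def decrypt_depth(header: bytes, cpu_id: int) -> int:
    # Raises ValueError when the header was sealed for a different CPUID
    key = derive_key(cpu_id)
    tag, ct = header[:8], header[8:]
    expect = hmac.new(key, ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ACL header does not decrypt under this host's key")
    stream = hashlib.sha256(key + b"depth").digest()
    return ct[0] ^ stream[0]


def acp(userid: str, encrypt: bool, acl: list, cpu_id: int) -> bool:
    # Mirrors the patent's ACP: returns not_found, so FALSE means authorised.
    header, users = acl[0], acl[1:]
    if encrypt:
        max_depth = decrypt_depth(header, cpu_id)
    else:
        max_depth = header  # depth number is clear in the header
    i = 0
    not_found = True
    # Scan only to depth N; the len() guard stops a read past the file end
    while i < max_depth and not_found and i < len(users):
        if users[i] == userid:
            not_found = False
        i += 1
    return not_found


def authorise(userid: str, encrypt: bool, acl: list, cpu_id: int) -> str:
    # Step (d): a failed decrypt is treated the same as no match
    try:
        return "UNAUTHORISED" if acp(userid, encrypt, acl, cpu_id) else "AUTHORISED"
    except ValueError:
        return "UNAUTHORISED"


HOST_CPUID = 0xBEEF  # constructed host identity
USERS = ["GEORGE", "JOHN", "MARY", "ROSEALI"]
ACL_1 = [encrypt_depth(3, HOST_CPUID)] + USERS  # Fig. 2: depth 3, ROSEALI refused
ACL_2 = [encrypt_depth(5, HOST_CPUID)] + USERS  # Fig. 3: depth exceeds list length
ACL_3 = [1] + USERS                              # Fig. 4: depth 1, header in clear
ACL_4 = [encrypt_depth(3, 0xDEAD)] + USERS       # Fig. 5: sealed for another CPUID

if __name__ == "__main__":
    for name, acl, enc in [("ACL-1", ACL_1, True), ("ACL-2", ACL_2, True),
                           ("ACL-3", ACL_3, False), ("ACL-4", ACL_4, True)]:
        print(name, {u: authorise(u, enc, acl, HOST_CPUID) for u in USERS})
```

Changing N in any list requires re-sealing the header with this host's key, which is the property the text calls tamper resistance.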

Claims 

1. A method of controlling access to computer resources resident in a host computer of a computer system comprising
the host and a plurality M of workstations connected for communication with the host, the method comprising the
steps of:

(a) responsive to a resource access request from a workstation or user, invoking a precomputed list, the list
including M workstation or user identities and an encrypted representation of the number N of workstations
or users authorised for resource access, N being a number less than M, the encrypted representation of N
being formed using an encryption key as a function of the host identity and an offset;

(b) ascertaining the depth N to which the list may be searched by decrypting the encrypted representation of
parameter N using the encryption key; and

(c) comparing the identity of the workstation or user originating the service request with the identities of the
M workstations or users on the list but only to a depth N, and authorising the access if an identity match is
found but otherwise refusing the access request.

2. A method according to claim 1, for controlling access authorisation for application programs, wherein access to
an application program comprises invocation of the application program, and wherein the refusal of an access
request involves a refusal message being sent to the requesting workstation or user.

3. A method according to claim 2, wherein the step of invoking the list includes invoking access control software, the
list and the access control software being embedded within the application program.

4. A method according to any preceding claim, wherein the arrangement of the host communicatively attaching the
workstations or users is selected from a set consisting of a local area network and a multiprogramming,
multiprocessing system exemplified by VM.

5. A method as claimed in any preceding claim, wherein the method steps further include modifying the search depth
N only by re-encrypting same.

Claims (German text)

1. A method of controlling access to computer resources resident in a host computer of a computer system
comprising the host and a number M of workstations connected for communication with the host, the method
comprising the following steps:

(a) invoking a precomputed list when a workstation or a user requests access to resources, the list containing
M workstation or user identities and an encrypted representation of the number N of workstations or users
authorised to access the resources, where N is a number smaller than M and the encrypted representation of N
is formed using an encryption key as a function of the host identity and an offset;

(b) determining the depth N to which the list may be searched by decrypting the encrypted representation of the
parameter N using the encryption key; and

(c) comparing the identity of the workstation or user from which the service request originates with the identities
of the M workstations or users on the list, but only to a depth N, and granting access if an identity match is
found, but otherwise rejecting the access request.

2. A method according to claim 1 for controlling access authorisation for application programs, wherein access to an
application program comprises invoking the application program and, on rejection of an access request, a rejection
message is sent to the requesting workstation or the requesting user.

3. A method according to claim 2, in which the step of invoking the list comprises invoking access control software,
the list and the access control software being integrated into the application program.

4. A method according to any of the above claims, in which the arrangement of the host communicatively connecting
the workstations or users is selected from a set consisting of a local network and a multiprogramming,
multiprocessor system such as VM.

5. A method according to any of the above claims, in which the steps of the method further comprise modifying the
search depth N solely by re-encrypting it.
Claims (French text)

1. A method of controlling access to computing resources resident in a host computer of a processing system
comprising the host and a plurality M of workstations connected for communication with the host, the method
comprising the steps of:

(a) in response to a request for access to resources from a workstation or a user, invoking a precomputed list,
the list comprising M workstation or user identities and an encrypted representation of the number N of
workstations or users authorised for access to resources, N being a number less than M, the encrypted
representation of N being formed using an encryption key as a function of the identity of the host and an offset;

(b) ascertaining the depth N over which the list may be searched by decrypting the encrypted representation of
the parameter N using the encryption key; and

(c) comparing the identity of the workstation or user originating the service request with the identities of the
M workstations or users on the list but only over a depth N, and authorising access if an identity match is
found, but otherwise refusing the access request.

2. A method according to claim 1, for controlling an access authorisation for application programs, in which access
to an application program comprises invoking the application program, and in which the refusal of an access
request involves a refusal message then sent to the requesting workstation or user.

3. A method according to claim 2, in which the step of invoking the list comprises invoking access control software,
the list and the access control software being incorporated in the application program.

4. A method according to any one of the preceding claims, in which the arrangement of the host connecting the
workstations or users for communication is selected from a set consisting of a local network and a
multiprogramming, multiprocessing system illustrated by VM.

5. A method according to any one of the preceding claims, in which the steps of the method further comprise
modifying the search depth N only by re-encrypting it.
ACL-1

-ENCRYPTED VALUE OF 3 WITH SEED=CPUID-

GEORGE  /* USER 1, E.G., W1, IN FIGURE 1 */
JOHN    /* USER 2, E.G., W2, IN FIGURE 1 */
MARY    /* USER 3, E.G., W3, IN FIGURE 1 */
ROSEALI /* USER 4, E.G., W4, IN FIGURE 1 */

ACCESS CONTROL LIST, EXAMPLE 1

Fig. 2

ACL-2

-ENCRYPTED VALUE OF 5 WITH SEED=CPUID-

GEORGE  /* USER 1, E.G., W1, IN FIGURE 1 */
JOHN    /* USER 2, E.G., W2, IN FIGURE 1 */
MARY    /* USER 3, E.G., W3, IN FIGURE 1 */
ROSEALI /* USER 4, E.G., W4, IN FIGURE 1 */

ACCESS CONTROL LIST, EXAMPLE 2

Fig. 3

ACL-3

1

GEORGE  /* USER 1, E.G., W1, IN FIGURE 1 */
JOHN    /* USER 2, E.G., W2, IN FIGURE 1 */
MARY    /* USER 3, E.G., W3, IN FIGURE 1 */
ROSEALI /* USER 4, E.G., W4, IN FIGURE 1 */

ACCESS CONTROL LIST, EXAMPLE 3

Fig. 4

ACL-4

-ENCRYPTED VALUE OF 3 WITH SEED=A DIFFERENT CPUID THAN THE HOST-

GEORGE  /* USER 1, E.G., W1, IN FIGURE 1 */
JOHN    /* USER 2, E.G., W2, IN FIGURE 1 */
MARY    /* USER 3, E.G., W3, IN FIGURE 1 */
ROSEALI /* USER 4, E.G., W4, IN FIGURE 1 */

ACCESS CONTROL LIST, EXAMPLE 4

Fig. 5